I'm attempting to access a 'ForwardedEvents' event log on a server using

    el = new EventLog("ForwardedEvents", serverName);

This isn't working.
I believe it's not working because the log isn't contained in the registry where EventLog would expect to find it (HKLM/System/CurrentControlSet/Services/Eventlog/.. ).
How would I add the log to the registry so it is found, or is there another method to access a log that's not specified in that location?

This is close to the other registry solution offered here, but this is how I did it on Windows 7, and will write to the Application log, not the Forwarded Events log:
1) Windows logo > type regedit in the search and press Enter
2) Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
3) Find the Application key and create a new key for your application: MyApp
4) In MyApp, right-click the right side window in the blank area and select New > Expandable String Value. This will create a REG_EXPAND_SZ entry. Give it the name EventMessageFile.
5) Double-click the new entry to set a value. For the value, enter:
   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EventLogMessages.dll
   Select OK.
6) Leave the (Default) string value alone with its (value not set) value.
7) Repeat two more times by replacing CurrentControlSet with ControlSet001 and ControlSet002.
And if you need to then move your application to another computer, you can right-click the key and select Export. You save the file as a .reg file, and then copy it to the next computer. There, you double-click to run it (while logged in as an Administrator). In this way, you don't have to manually re-create it, and for other apps, you can actually edit the .reg file in Notepad and simply change the name of the app, save it (be sure to change the format to "All Files", so it retains the .reg on the end, and not save it as a .txt file), and then you can double-click it to run and insert the new app's EventLog key.

Remedied the issue by creating a new registry entry for the log at: (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\LOGNAME).
Did this by (on Windows Server 2008 R2):
1) Right-click on the parent folder (eventlog) -> New -> Key
2) Name the key like the evtx file found at (C:\Windows\System32\winevt\Logs\LOGNAME)
3) In the right pane of the registry explorer, right-click -> New -> Expandable String Value
4) Name the newly created REG_EXPAND_SZ "File"
5) Right-click on the name "File"
6) Modify
7) In the "Value Data" box, add the path to the evtx file, like
( %SystemRoot%\System32\winevt\Logs\ForwardedEvents.evtx )
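
Added example, not part of the answer above: the same seven steps done in C#, run elevated on the server itself. It reports an existing key without touching it and writes only when the key is absent; the class and method names are hypothetical, while the key path, value name and .evtx path are the ones given in the answer.

```csharp
using System;
using System.Diagnostics;
using Microsoft.Win32;

static class RegisterClassicLog   // hypothetical name, added example
{
    // Key path as given in the answer above.
    const string EventLogRoot = @"SYSTEM\CurrentControlSet\services\eventlog";

    // Returns true if the key was created, false if it was already present.
    static bool EnsureLogKey(string logName, string evtxPath)
    {
        using (RegistryKey root = Registry.LocalMachine.OpenSubKey(EventLogRoot, true))
        {
            if (root == null)
                throw new InvalidOperationException("eventlog key not found");

            using (RegistryKey existing = root.OpenSubKey(logName))
            {
                if (existing != null)
                {
                    // Audit only: show the stored File value unexpanded, change nothing.
                    object file = existing.GetValue("File", "(not set)",
                        RegistryValueOptions.DoNotExpandEnvironmentNames);
                    Console.WriteLine("{0} already registered, File = {1}", logName, file);
                    return false;
                }
            }

            // Steps 1-7: new key named after the .evtx file, REG_EXPAND_SZ "File".
            using (RegistryKey created = root.CreateSubKey(logName))
            {
                created.SetValue("File", evtxPath, RegistryValueKind.ExpandString);
            }
            return true;
        }
    }

    static void Main()
    {
        const string log = "ForwardedEvents";
        bool created = EnsureLogKey(log, @"%SystemRoot%\System32\winevt\Logs\ForwardedEvents.evtx");
        Console.WriteLine(created ? "Key created." : "No change made.");

        // EventLog.Exists consults the same registry location the question refers to.
        Console.WriteLine("EventLog.Exists: {0}", EventLog.Exists(log, "."));
    }
}
```
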
If you still want to do this the programmatic way as opposed to manually creating the log via the registry, there is a way. You need to check and see if the EventSource exists first, and if it doesn't you need to create it. This all has to happen before you try to create an EventLog instance with that source. Just note the latency between creation and use, so make sure to handle this (see http://msdn.microsoft.com/en-us/library/2awhba7a(v=vs.110).aspx for more information).

    using System;
    using System.Diagnostics;

    class MySample
    {
        public static void Main()
        {
            // Create the source, if it does not already exist.
            if (!EventLog.SourceExists("MySource"))
            {
                // An event log source should not be created and immediately used.
                // There is a latency time to enable the source, it should be created
                // prior to executing the application that uses the source.
                // Execute this sample a second time to use the new source.
                EventLog.CreateEventSource("MySource", "MyNewLog");
                Console.WriteLine("CreatedEventSource");
                Console.WriteLine("Exiting, execute the application a second time to use the source.");
                // The source is created. Exit the application to allow it to be registered.
                return;
            }

            // Create an EventLog instance and assign its source.
            EventLog myLog = new EventLog();
            myLog.Source = "MySource";

            // Write an informational entry to the event log.
            myLog.WriteEntry("Writing to event log.");
        }
    }